On Monday, 27 September 2010 20:58:19 Henrik "Størner" wrote:
In <201009271934.40635.bgmilne at staff.telkomsa.net> Buchan Milne <bgmilne at staff.telkomsa.net> writes:
On Thursday, 23 September 2010 14:18:51 Henrik "Størner" wrote:
The major problem with this is that Xymon uses the OpenLDAP library to talk to the LDAP server (the LDAP protocol itself is a bit too complex for Xymon to do on its own). And OpenLDAP only supports the RFC-way of doing SSL.
This isn't true. Almost all LDAP client software (pam_ldap, nss_ldap, samba, freeradius, ldapsearch etc., apache mod_ldap, etc., to name a few) using OpenLDAP libldap (at least with OpenSSL, I'm not too familiar with OpenLDAP+gnutls) supports original Netscape-style ldaps (which is usually on port 636).
Okay, I haven't looked at OpenLDAP since I implemented the LDAP tests (quite some time ago). The SSL support then wasn't documented at all, so I had to go by some sample code included with the library. If that has changed and we can support port-636-ldaps somehow then sure - let's do it. We probably need to invent a different tag in bb-hosts for it, but that's a minor problem.
Most people will expect "ldaps" to mean LDAP over SSL.. IMHO, we should either create a new tag for LDAP with STARTTLS, or use a bind extension in the existing ldap tag (IOW, keep it a quasi-valid LDAP URI).
AFAIK, there is no standard bind extension for starttls, but we could use something like:
ldap://hostname/????starttls
(or: ldap://ldap.mydomain.com/dc=mydomain,dc=com?uid?sub?"(uid=testuser)"?starttls )
Regards, Buchan
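Buchan's proposal amounts to a quasi-valid RFC 4516 LDAP URI (`ldap://host:port/dn?attrs?scope?filter?extensions`) where a `starttls` extension selects explicit TLS, while `ldaps://` keeps its usual meaning of TLS negotiated before the first LDAP message (Netscape-style, default port 636). The parser below is an added example, not code from the thread or from Xymon: it splits a URI of that shape with the Python standard library and returns the TLS mode a check would have to use. The `starttls` extension name is the hypothetical one from the thread, not a registered RFC 4516 extension; the StartTLS OID and the `!` criticality prefix are from RFC 4511 and RFC 4516. It deliberately rejects a URI that asks for both `ldaps://` and `starttls` instead of guessing, and it reports a plain `ldap://` URI without the extension as cleartext so that a misconfigured check is visible rather than silently unencrypted.

```python
"""Parse the quasi-valid LDAP URI form proposed in the thread and work out
how a monitoring check has to negotiate TLS.  Added example; the "starttls"
extension name is the thread's proposal, not a standard RFC 4516 extension."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
VALID_SCOPES = ("base", "one", "sub")


@dataclass
class LdapCheck:
    host: str
    port: int
    implicit_tls: bool          # ldaps://  -> TLS before any LDAP message (default 636)
    starttls: bool              # ldap:// plus the hypothetical "starttls" extension
    base_dn: str = ""
    attrs: list = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: list = field(default_factory=list)


def parse_ldap_uri(uri: str) -> LdapCheck:
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URI: {uri!r}")
    implicit_tls = scheme == "ldaps"
    host = parts.hostname or "localhost"
    port = parts.port or (636 if implicit_tls else 389)

    # RFC 4516 layout: ldap://host:port/dn?attrs?scope?filter?extensions
    # urlsplit puts everything after the first '?' into .query, so the
    # remaining '?'-separated fields are split here; trailing ones may be absent.
    base_dn = unquote(parts.path.lstrip("/"))
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 4:
        raise ValueError(f"too many '?'-separated fields in {uri!r}")
    fields += [""] * (4 - len(fields))

    attrs = [a for a in fields[0].split(",") if a]
    scope = fields[1].lower() or "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"bad scope {scope!r} (expected one of {VALID_SCOPES})")

    # The thread writes the filter in double quotes; RFC 4516 does not. Accept both.
    filt = unquote(fields[2]).strip()
    if len(filt) >= 2 and filt[0] == filt[-1] == '"':
        filt = filt[1:-1]
    filt = filt or "(objectClass=*)"

    # Extensions are "name" or "name=value", optionally prefixed with '!' for
    # "critical" (RFC 4516 section 2). Only the name matters here.
    extensions = [e for e in fields[3].split(",") if e]
    ext_names = {e.lstrip("!").split("=", 1)[0].lower() for e in extensions}
    starttls = "starttls" in ext_names
    if implicit_tls and starttls:
        raise ValueError("ldaps:// already negotiates TLS before the first LDAP "
                         "message; refusing to also StartTLS rather than guess")

    return LdapCheck(host, port, implicit_tls, starttls,
                     base_dn, attrs, scope, filt, extensions)


def tls_mode(check: LdapCheck) -> str:
    """'ldaps' (implicit TLS), 'starttls' (explicit TLS) or 'cleartext'."""
    if check.implicit_tls:
        return "ldaps"
    if check.starttls:
        return "starttls"
    return "cleartext"


def connection_plan(check: LdapCheck) -> list:
    """Human-readable steps the check would perform, in order."""
    steps = [f"TCP connect to {check.host}:{check.port}"]
    mode = tls_mode(check)
    if mode == "ldaps":
        steps.append("TLS handshake before the first LDAP message (Netscape-style ldaps)")
    elif mode == "starttls":
        steps.append(f"LDAP StartTLS extended operation (OID {STARTTLS_OID}), then TLS handshake")
    else:
        steps.append("NO TLS: search and bind travel in cleartext")
    steps.append(f"search base={check.base_dn!r} scope={check.scope} "
                 f"filter={check.filter!r} attrs={check.attrs}")
    return steps


if __name__ == "__main__":
    # The two URIs from the thread plus a classic ldaps:// one (constructed).
    for uri in ("ldap://hostname/????starttls",
                'ldap://ldap.mydomain.com/dc=mydomain,dc=com?uid?sub?"(uid=testuser)"?starttls',
                "ldaps://ldap.example.com/"):
        chk = parse_ldap_uri(uri)
        print(uri, "->", tls_mode(chk))
        for step in connection_plan(chk):
            print("   ", step)
```

Only the URI handling is shown; the actual bind and search would go through libldap (or python-ldap) with the TLS mode chosen from `tls_mode()`. Keeping the URI quasi-valid means an existing RFC 4516 parser still accepts it, and a reader of the config can see at a glance whether a check is `ldaps`, `starttls` or cleartext.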